This shows you the differences between two versions of the page.
advanced-dhcpdns [2023/04/25 14:28] – rs232 | advanced-dhcpdns [2023/04/29 21:06] – [DHCP Client (WAN)] -clarity, condense hogwild | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== DHCP/ | ====== DHCP/ | ||
- | The Advanced / DHCP/ | + | The DHCP/DNS/TFTP menu allows you to configure advanced settings for the DHCP, DNS and TFTP services for both the LAN and WAN. Most of this functionality is provided by [[https:// |
+ | |||
===== DHCP Client (WAN) ===== | ===== DHCP Client (WAN) ===== | ||
Line 10: | Line 12: | ||
{{: | {{: | ||
- | **Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. | + | **Enable DNSSEC support: ** DNSSEC is a way to secure DNS by introducing authentication for DNS servers. This prevents DNS hacking and poisoning. |
- | **Use dnscrypt-proxy: | + | **Use dnscrypt-proxy: |
+ | |||
+ | \\ | ||
When dnscrypt-proxy is checked, the following options/ | When dnscrypt-proxy is checked, the following options/ | ||
- | * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use with care, this is very cpu-intensive. It may slow DNS resolution. | + | * Ephemeral Keys - If checked, a new key pair is generated for each DNS query. Use with care, as this is very cpu-intensive. It may slow DNS resolution. |
* Manual Entry - If enabled, 3 more fields are displayed: | * Manual Entry - If enabled, 3 more fields are displayed: | ||
* Resolver Address - The IP address of the dnscrypt-enabled DNS server, for example 1.2.3.4; | * Resolver Address - The IP address of the dnscrypt-enabled DNS server, for example 1.2.3.4; | ||
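Review bot: In the "Enable DNSSEC support" line, the sentence "This prevents DNS hacking and poisoning" is carried over unchanged and overstates what DNSSEC provides. DNSSEC lets a validating resolver check that records from signed zones are authentic and unmodified; it does not encrypt queries and does nothing for zones that are not signed. Suggest wording such as "This helps detect forged or tampered DNS responses (for example cache poisoning) for signed zones." Minor style point in the Ephemeral Keys bullet: "cpu-intensive" should read "CPU-intensive".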
Line 22: | Line 26: | ||
* Provider Public Key - A public key provided by the DNSCRYPT-enabled DNS provider used to generate a valid key pair \\ e.g. 0000: | * Provider Public Key - A public key provided by the DNSCRYPT-enabled DNS provider used to generate a valid key pair \\ e.g. 0000: | ||
* Resolver - This dropdown list currently contains about 200 DNS servers. Some support DNSSEC. Some don't log queries. Some are filtered. To help you choose a DNSCrypt DNS provider, import the file / | * Resolver - This dropdown list currently contains about 200 DNS servers. Some support DNSSEC. Some don't log queries. Some are filtered. To help you choose a DNSCrypt DNS provider, import the file / | ||
- | * Priority - Leave this at // | + | * Priority - Leave this at // |
- | * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato' | + | * Local Port - Specifies the port on which dnscrypt-proxy communicates with FreshTomato DNS. It is recommended that you leave this at 40 unless you know why you're changing |
- | * Log Level - This sets the level of messages logged | + | * Log Level - When enabled, this sets the level of messages logged |
**Use Stubby (DNS-over-TLS): | **Use Stubby (DNS-over-TLS): | ||
+ | |||
+ | \\ | ||
When Stubby is enabled some extra options are appearing on your configuration: | When Stubby is enabled some extra options are appearing on your configuration: | ||
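Review bot: In the Log Level bullet, the added "When enabled" has no clear referent. A log level is selected rather than enabled, so the reader cannot tell whether the clause refers to dnscrypt-proxy itself or to a separate logging switch. Suggest naming what must be enabled, or dropping the clause. In the Local Port bullet, "FreshTomato DNS" would be clearer as dnsmasq, if that is the component meant, to match the wording used for Stubby's Local Port.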
Line 32: | Line 38: | ||
{{: | {{: | ||
- | ** Upstream resolvers: | + | \\ |
- | ** Priority:** | + | **Upstream resolvers:** Here, you can specify the upstream servers responsible |
- | * Strict-Order = prefer Stubby but if this is experiencing issue fail back to "other way of resolve names" e.g. standard DNS resolution | + | |
- | * No-Resolv = If Stubby fails or has issue you will want DNS resolution not to be failed back anywhere. A.k.a. Stubby or nothing. | + | |
- | * None = This option adds stubby as a resolution method | + | |
- | ** Local Port:** The port number where Stubby is serving clients. Also note the only client for Stubby will actually be dnsmasq and this latter serves the end clients. | + | **Priority:** |
- | ** Log Level:** Define here the log verbosity needed. | + | |
+ | | ||
+ | | ||
- | ** Force TLS1.3:** Impose | + | **Local Port:** The port number on which Stubby will serve clients. Note that dnsmasq will be the only client |
- | **WINS (for DHCP):** Here, you can specify the IP address | + | **Log Level:** Allows |
- | Windows Internet Name Service (WINS) is a legacy name registration and resolution service | + | **Force TLS1.3: |
+ | |||
+ | **WINS (for DHCP):** Here you specify the IP address of a WINS Server that will be given to DHCP clients. This does NOT actually enable the WINS service. FreshTomato' | ||
+ | |||
+ | Windows Internet Name Service (WINS) is a legacy name registration and resolution service | ||
**DHCPC Options: | **DHCPC Options: | ||
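Review bot: The rewritten Priority bullets should state the fallback behaviour explicitly, since it is the security-relevant choice in this block. The removed text said Strict-Order falls back to "standard DNS resolution" when Stubby has issues, while No-Resolv means "Stubby or nothing". The new wording should keep that distinction and say that the Strict-Order fallback path resolves names outside DNS-over-TLS, so a reader who needs every lookup encrypted knows to choose No-Resolv.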
Line 126: | Line 135: | ||
**Enable TFTP**: Starts the dnsmasq' | **Enable TFTP**: Starts the dnsmasq' | ||
- | **TFTP root path**: | + | **TFTP root path**: |
**PXE on LANx (brx)**: Allows PXE (Pre Boot Execution) on one or more bridges. PXE is designed for diskless clients where a PXE client can just obtain an IP via DHCP and a TFTP location where the booting code is to be found (syslinux is for example a good application for this). | **PXE on LANx (brx)**: Allows PXE (Pre Boot Execution) on one or more bridges. PXE is designed for diskless clients where a PXE client can just obtain an IP via DHCP and a TFTP location where the booting code is to be found (syslinux is for example a good application for this). | ||
- | |||
===== DHCP / DNS Notes ===== | ===== DHCP / DNS Notes ===== | ||
- | * Do not use results from: [[https:// | + | * Do not use results from: [[https:// |
- | * DNSSEC and DNSCrypt / Stubby complement each other. | + | * DNSSEC and DNSCrypt / Stubby complement each other. |
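Review bot: In the Notes list, "DNSSEC and DNSCrypt / Stubby complement each other" should say what each one contributes, unless the remainder of the line already does. DNSSEC validates that records are authentic, while DNSCrypt and Stubby encrypt the transport between the router and the upstream resolver. Without that, a reader may treat enabling one as a substitute for the other.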